Cisco Fixes Zero Day, Other Vulnerabilities

Friday, August 19, 2016 @ 03:08 PM gHale

Cisco patched a batch of vulnerabilities, including a Zero Day.

The fixes focus on exploits released online by The Shadow Brokers, which is selling hacking tools stolen from the Equation Group, a cyber-espionage outfit believed to have ties with the National Security Agency (NSA).

Hacking tools from The Shadow Brokers leak, named EPICBANANA, JETPLOW, and EXTRABACON, contain exploits that can compromise Cisco devices.

These affect Cisco firewall products such as devices from the ASA line, PIX firewalls, and Cisco Firewall Services Modules (FWSM).

These hacking tools contain exploits that leverage two vulnerabilities, one Cisco already knew about and one it did not, Cisco officials said.

The Zero Day vulnerability is CVE-2016-6366. This vulnerability is in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) software, Cisco said.

The vulnerability can allow an unauthenticated, remote attacker to cause a reboot of affected products, which leads to remote code execution (RCE). RCE flaws are some of the most dangerous security flaws because they enable a skilled attacker to take over the device.
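An added example (not from the article, from Cisco, or from any vendor named here): a small Python auditor that scans an ASA running-config excerpt for the conditions that expose the SNMP service described above to untrusted peers, such as an SNMP host bound to the outside interface, SNMPv1/v2c (community string as the only credential), or a default community string. The config excerpt is constructed for illustration; the snmp-server keywords are standard ASA CLI syntax, and the interface name "outside" is an assumption about the deployment.

```python
import re

# Constructed sample ASA running-config excerpt (not from any real device).
SAMPLE_CONFIG = """\
hostname asa-edge
snmp-server enable
snmp-server community public
snmp-server host outside 203.0.113.10 community public version 2c
snmp-server host inside 192.0.2.20 community s3cret version 2c
snmp-server host inside 192.0.2.30 version 3 monitor
"""

# ASA syntax: snmp-server host <iface> <ip> [community <str>] [version <1|2c|3 user>]
HOST_RE = re.compile(
    r"^snmp-server host (\S+) (\S+)(?: community (\S+))?(?: version (\S+))?"
)
DEFAULT_COMMUNITIES = {"public", "private"}

def audit_snmp(config, untrusted_interfaces=("outside",)):
    """Return (line, reason) findings describing SNMP exposure in an ASA config.

    Flags: SNMP enabled at all, default community strings, hosts bound to an
    untrusted interface, and SNMPv1/v2c hosts that rely only on the community.
    """
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "snmp-server enable":
            findings.append((line, "SNMP service enabled; confirm it is required and filtered"))
        elif line.startswith("snmp-server community "):
            if line.split()[2].lower() in DEFAULT_COMMUNITIES:
                findings.append((line, "default community string"))
        else:
            m = HOST_RE.match(line)
            if not m:
                continue
            iface, _ip, community, version = m.groups()
            if iface in untrusted_interfaces:
                findings.append((line, f"SNMP host bound to untrusted interface '{iface}'"))
            if version in (None, "1", "2c"):
                findings.append((line, "SNMPv1/v2c: community string is the only credential"))
            if community and community.lower() in DEFAULT_COMMUNITIES:
                findings.append((line, "default community string"))
    return findings

if __name__ == "__main__":
    for line, reason in audit_snmp(SAMPLE_CONFIG):
        print(f"{reason}: {line}")
```

Run against the constructed excerpt, the script reports six findings; an SNMPv3-only host on an inside interface produces none.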

Cisco also said it found code that tried to exploit an older Cisco vulnerability, CVE-2016-6367, which the company fixed in 2011.

This is a vulnerability in the command-line interface (CLI) parser of Cisco Adaptive Security Appliance (ASA) Software that could allow an authenticated, local attacker to create a denial of service (DoS) condition or potentially execute arbitrary code on the affected device.

The company reissued this alert to remind businesses around the world to upgrade the firmware on their devices.

Cisco responded very well to the Shadow Brokers leak, which was dumped online on August 13 but made news headlines around the world on Monday, August 15.

The company’s engineers sifted through all the data dumped online by the hackers, isolated the exploits that affected its devices, and analyzed their features.

According to Cisco’s Omar Santos, the Zero Day was in the Equation Group’s EXTRABACON utility while the older vulnerability was inside EPICBANANA and JETPLOW. Santos claims JETPLOW is an enhanced version of EPICBANANA, with better persistence capabilities.

Fortinet, another firewall equipment vendor for which The Shadow Brokers leaked exploits, also said it patched the vulnerabilities included in the EGREGIOUSBLUNDER exploit and recommended that customers upgrade to FortiGuard versions 5.x.

WatchGuard addressed the issue of the ESCALATEPLOWMAN exploit, which targeted devices from RapidStream, a company WatchGuard acquired in 2002. Those products have since been discontinued, and the exploit did not affect WatchGuard's native products, the company said.